Firewalls are hardware and software combinations that are built using routers, servers, and a variety of software. They sit at the most vulnerable point between a corporate network and the Internet, and they can be as simple or as complex as system administrators want to build them. A firewall does, however, reduce the speed of access to networks.
Every time a corporation connects its internal computer network or LAN to the Internet, it faces potential security dangers. Due to the Internet's openness, every corporate network connected to it is vulnerable to virus attacks. Crackers on the Internet could break into the corporate network and do harm in a number of ways, such as the following:
- They could copy or damage important data.
- They could damage data on individual computers or on the entire network.
- They could use the corporate computers' resources, or use the corporate network and its resources while posing as a corporate employee.
The solution to all these problems, and many more, is to build 'firewalls' to protect the network. These firewalls allow anyone on the corporate network to access the Internet, but they stop crackers, hackers, or others bent on doing mischief on the Internet from gaining access to the corporate network and causing damage.
Benefits of Using a Firewall
The main benefits of using a firewall are:
- Protection from services that are inherently more prone to attacks.
- Access to the host in the network can be strictly controlled.
- Security is concentrated on a single firewall system. This leads to better implementation of authentication procedures.
- Logging and statistics of network use and misuse.
- Policy enforcement.
A firewall uses one of a variety of architectures to manage access control. These are:
- Packet-Filtering Firewalls
- Proxy Firewalls
- Stateful Inspection
Packet-Filtering Firewalls
This type of firewall examines all the packets it comes across and forwards or drops them based on pre-defined rules. This rudimentary firewall provides only basic protection; packet-filtering firewalls are restrictive since network managers can only define a few parameters.
Many routers and proxy servers use some form of packet filtering that provides firewall capabilities for protecting the network from unauthorized traffic. Administrators can create rules for filtering out unwanted packets and can arrange these rules in the most efficient order. Only a packet that passes all the rules is allowed through, while a packet that violates any rule is dropped.
Packet filtering can be implemented on routers and other devices in two ways:
- Static Filtering
- Dynamic Filtering
Static packet filtering provides limited security by configuring selected ports as either permanently open or permanently closed. For example, to deny outside packets access to a company intranet server on port 80 (the standard port number for the Hypertext Transfer Protocol, or HTTP), one could configure the router or firewall to block all incoming packets directed toward port 80.
Dynamic packet filtering provides enhanced security. It acts by allowing selected ports to be opened at the start of a legitimate session and then closed at the end of the session. This is particularly useful for protocols that allocate ports dynamically, for example the File Transfer Protocol (FTP).
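The difference between the two filtering styles is easiest to see in code. The following is an added example, not code from the page or from any product it mentions: a static filter that evaluates an ordered rule list with a default-deny fallback (the port-80 policy from the text), and a dynamic filter that additionally opens a port for the reply traffic of a permitted session and closes it when the session ends. The Packet and Rule types, the addresses and the port numbers are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified packet: only the header fields a packet filter looks at.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class StaticFilter:
    """Rules are evaluated in order; the first match decides, and a packet
    that matches no rule is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class DynamicFilter(StaticFilter):
    """Same rules, but once a session is permitted its reply path is opened
    (the reversed 4-tuple is remembered) and closed again when it ends."""

    def __init__(self, rules):
        super().__init__(rules)
        self.open_sessions = set()

    def decide(self, pkt: Packet) -> str:
        # A reply to a session we opened: the reversed 4-tuple is in the table.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.open_sessions:
            return "allow"
        action = super().decide(pkt)
        if action == "allow":
            self.open_sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

    def session_ended(self, pkt: Packet) -> None:
        # Called when the session closes, so the reply port is open only for its duration.
        self.open_sessions.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


# Policy from the text: block inbound traffic to the intranet web server's
# port 80, let the LAN initiate connections outward, deny everything else.
POLICY = [
    Rule("deny", direction="in", dport=80),
    Rule("allow", direction="out"),
]


def demo():
    """Constructed traffic: an outbound web request, its reply, and an outside probe."""
    outbound = Packet("out", "tcp", "10.0.0.5", 40001, "203.0.113.9", 80)
    reply = Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.5", 40001)
    probe = Packet("in", "tcp", "198.51.100.7", 5555, "10.0.0.80", 80)
    static, dynamic = StaticFilter(POLICY), DynamicFilter(POLICY)
    return {
        # the static filter has no rule for the reply, so it drops it
        "static": (static.decide(outbound), static.decide(reply)),
        # the dynamic filter opened the reply path when it allowed the request
        "dynamic": (dynamic.decide(outbound), dynamic.decide(reply)),
        "probe": dynamic.decide(probe),
    }


if __name__ == "__main__":
    print(demo())
```

The static filter's weakness is visible in the result: with only "deny inbound to 80" and "allow outbound", the legitimate reply to an outbound request is dropped, so in practice static rule sets have to leave whole ranges of inbound ports permanently open. The dynamic filter opens exactly the reply path of the session that was allowed, and `session_ended` closes it again.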
Application-level Firewall (Application Gateway)
An application-level firewall (or application gateway) is part of a proxy server. Application gateways do not allow any packets to pass directly between the two networks they connect. Instead, proxy applications running on the firewall computer forward requests to services on the private network and then forward the responses to the originators on the unsecured public network. Application gateways authenticate the credentials of a user before allowing access to the network.
They use auditing and logging mechanisms as part of the security policy. Application gateways require some configuration on the part of users to enable their client machines to function properly. For example, if a File Transfer Protocol (FTP) proxy is configured on an application gateway, it can be configured to allow some FTP commands but deny others.
One could configure an SMTP (Simple Mail Transfer Protocol) proxy on an application gateway that would accept mail from the outside (without revealing internal e-mail addresses) and then forward the mail to the internal mail server. However, because of the additional processing overhead, application gateways have advanced hardware requirements and are slower than network-level firewalls.
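As an added example of the FTP proxy behaviour described above (this is illustrative code, not the page's own or any product's), the filter below inspects each line of the client's FTP control channel, forwards only the commands on an allow-list, answers everything else itself so the denied command never reaches the internal server, and writes an audit entry for every decision. The allow-list, the reply text and the sample session are hypothetical choices for the illustration; the reply code follows FTP's 5xx "permanent negative" class.

```python
# Commands the gateway will forward to the internal FTP server (allow-list);
# anything else, e.g. STOR, DELE, SITE, is rejected at the gateway.
ALLOWED_FTP_COMMANDS = frozenset(
    {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}
)
DENIED_REPLY = "502 Command not permitted by gateway policy\r\n"


def parse_ftp_command(line: str):
    """Split one control-channel line into (VERB, argument).

    FTP verbs are case-insensitive, so the proxy normalises them before
    looking them up; the argument is everything after the first space."""
    text = line.rstrip("\r\n")
    if not text.strip():
        return None
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg.strip()


def filter_ftp_command(line: str, audit_log: list, allowed=ALLOWED_FTP_COMMANDS):
    """Decide one client line. Returns (forward_to_server, text_to_send).

    Forwarded lines are re-serialised in canonical form; denied lines are
    answered by the gateway and never reach the internal server. Only the
    verb is logged, so passwords (PASS arguments) never land in the audit log."""
    parsed = parse_ftp_command(line)
    if parsed is None:
        audit_log.append("denied: empty or malformed line")
        return False, DENIED_REPLY
    verb, arg = parsed
    if verb in allowed:
        audit_log.append(f"forwarded: {verb}")
        return True, f"{verb} {arg}\r\n" if arg else f"{verb}\r\n"
    audit_log.append(f"denied: {verb}")
    return False, DENIED_REPLY


def run_session(client_lines, allowed=ALLOWED_FTP_COMMANDS):
    """Feed a sequence of client lines through the filter and return the
    lines that would reach the server plus the audit trail."""
    audit_log, to_server = [], []
    for line in client_lines:
        forward, text = filter_ftp_command(line, audit_log, allowed)
        if forward:
            to_server.append(text)
    return to_server, audit_log


# Constructed session: an anonymous download, then an attempted upload and a
# lower-case deletion request that the policy rejects.
SAMPLE_CLIENT_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "TYPE I\r\n",
    "RETR report.pdf\r\n",
    "STOR payload.bin\r\n",
    "dele report.pdf\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    sent, log = run_session(SAMPLE_CLIENT_LINES)
    print("\n".join(log))
```

Two details matter for a gateway like this: the verb is upper-cased before the lookup, so `dele` cannot slip past a policy written for `DELE`, and the gateway re-serialises the command rather than forwarding the client's raw bytes, which keeps oddly formatted input from reaching the internal server unchanged.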
Proxy Firewalls
This type of firewall acts as an intermediary for user requests, setting up a second connection to the desired resource either at the application layer (an application proxy) or at the session or transport layer (a circuit relay). Proxy firewalls tend to take a performance hit since they rely on the application layer. They are restrictive when it comes to allowing or denying evolving or new types of applications.
Stateful Inspection Firewalls
These are the new generation of firewall technology, patented by Check Point Software Technologies. Stateful Inspection provides full application-layer awareness without requiring a separate proxy for every service to be secured. This results in multiple benefits to customers, including excellent performance, reliability, and the ability to support new and custom applications and services quickly and easily.
The stateful inspection architecture is unique in that it understands the state of any communication through the firewall machine, including packet, connection, and application information. Packet filters do not track the application or connection state. Application proxies track only application state, not packet or connection state, which may introduce some vulnerabilities.
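To make the three levels of state concrete, here is an added example (not the page's code and not Check Point's implementation) of a stateful inspector: it keeps a connection table keyed by the TCP 4-tuple, admits a new connection only on a bare SYN, refuses an inbound SYN unless an application on the inside announced it, and reads the FTP control channel for the PORT command so the server's active-mode data connection can be expected. The Segment type, the addresses, the ports and the scenario are constructed; the FTP PORT syntax and port-21 convention are standard.

```python
import re
from dataclasses import dataclass

# A Segment carries only the TCP header fields and payload the inspector reads.
@dataclass(frozen=True)
class Segment:
    direction: str      # "in" (from the Internet) or "out" (from the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: str = ""


# Active-mode FTP: the client announces the address and port on which it will
# accept the server's data connection as "PORT h1,h2,h3,h4,p1,p2".
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
FTP_CONTROL_PORT = 21


class StatefulInspector:
    """Tracks connection state per 4-tuple and, for FTP control channels,
    the inbound data connection the application announced. A packet filter
    sees none of this; an application proxy sees the FTP command but not
    the TCP state."""

    def __init__(self):
        self.conns = {}        # (client, cport, server, sport) -> state
        self.expected = set()  # (server, client, client_port) announced by PORT

    def inspect(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        key = fwd if fwd in self.conns else rev if rev in self.conns else None

        if key is None:
            # Unknown connection: only a bare SYN may open one, and an inbound
            # SYN only if an application on the inside announced it.
            if seg.flags != frozenset({"SYN"}):
                return "deny"                       # e.g. an inbound ACK probe
            if seg.direction == "in":
                if (seg.src, seg.dst, seg.dport) not in self.expected:
                    return "deny"
                self.expected.discard((seg.src, seg.dst, seg.dport))
            self.conns[fwd] = "SYN_SENT"
            return "allow"

        if seg.flags & {"FIN", "RST"}:
            # Simplification: the first FIN or RST tears the entry down.
            del self.conns[key]
            return "allow"
        if self.conns[key] == "SYN_SENT" and key == rev and seg.flags == frozenset({"SYN", "ACK"}):
            self.conns[key] = "ESTABLISHED"
        if self.conns[key] == "ESTABLISHED" and seg.dport == FTP_CONTROL_PORT:
            # Application awareness: learn the data connection the client announced.
            m = PORT_RE.match(seg.payload)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.expected.add((seg.dst, host, port))
        return "allow"


def demo():
    """Constructed scenario: an FTP session from the LAN, two outside probes,
    and the server's active-mode data connection back to the client."""
    insp = StatefulInspector()
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    client, server, scanner = "10.0.0.5", "203.0.113.21", "198.51.100.7"
    steps = {
        "control_syn": Segment("out", client, 40010, server, 21, S),
        "control_synack": Segment("in", server, 21, client, 40010, SA),
        "port_command": Segment("out", client, 40010, server, 21, A, "PORT 10,0,0,5,156,100\r\n"),
        "ack_probe": Segment("in", scanner, 4444, "10.0.0.80", 22, A),
        "unsolicited_syn": Segment("in", scanner, 4444, "10.0.0.80", 80, S),
        "data_syn": Segment("in", server, 20, client, 40036, S),   # 156*256+100
        "data_syn_spoofed": Segment("in", scanner, 20, client, 40036, S),
    }
    return {name: insp.inspect(seg) for name, seg in steps.items()}


if __name__ == "__main__":
    print(demo())
```

The result shows the point of the paragraph above: the ACK probe and the unsolicited SYN are dropped because no connection state exists for them, the server's data connection is admitted because the inspector understood the PORT command on the control channel, and a SYN to the same port from a different source is still refused because the expectation is bound to the announcing server.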
One of the best free firewall products available is ZoneAlarm from Zone Labs, which is available free of cost and can be downloaded from the company's site at www.zonelabs.com. It provides protection for Internet users. Combining the safety of a dynamic firewall with total control over applications' Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals.
ZoneAlarm makes ironclad Internet security easy to use. ZoneAlarm protects you from malicious programs, like spyware and Trojan horses, by allowing you to control your computer's Internet traffic and how applications access the Internet.
What Constitutes a Good Firewall System?
Firewalls can protect the network environment, but what constitutes a good firewall? The answer actually depends on on-site security requirements. However, one should always check for the following attributes in a firewall:
- The firewall should be able to support a "deny all services except those specifically permitted" design policy.
- The firewall should be flexible. It should be able to accommodate new services and needs if the security policy of the organization warrants it.
- The firewall should contain advanced authentication measures.
- The firewall should employ filtering techniques to permit or deny services to specified host systems as and when needed.
- The firewall should use proxy services for File Transfer Protocol (FTP) and TELNET (TELecommunication NETwork) so that advanced authentication measures can be employed and centralized. If services such as Gopher or HTTP are required, the firewall should contain the corresponding proxy services.
- The firewall should accommodate public access to the site, such that public information servers can be protected by the firewall but segregated from site systems that do not require public access.
- The firewall should contain mechanisms for logging traffic and suspicious activity and should contain mechanisms for log reduction so that logs are readable and understandable.
- If the firewall requires an operating system such as Unix, a secured version of the operating system should be part of the firewall.
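The log-reduction attribute in the list above is the one most often left vague, so here is an added example of what it means in practice (illustrative code, not from the page or any product): the raw per-packet log is parsed, allowed and denied traffic are counted, denials are summarised per source, and a source that was refused on several distinct destination ports is flagged for review as a possible port sweep. The log line format, the addresses and every line of the sample log are constructed for the illustration, as is the sweep threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed log format: "<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log, including one line the parser must not choke on.
SAMPLE_LOG = """\
10:00:01 ALLOW tcp 10.0.0.5:40001 -> 203.0.113.9:80
10:00:02 DENY tcp 198.51.100.7:5555 -> 10.0.0.80:22
10:00:02 DENY tcp 198.51.100.7:5556 -> 10.0.0.80:23
10:00:03 DENY tcp 198.51.100.7:5557 -> 10.0.0.80:80
10:00:03 DENY tcp 198.51.100.7:5558 -> 10.0.0.80:443
10:00:04 ALLOW udp 10.0.0.5:53001 -> 203.0.113.53:53
10:00:05 DENY tcp 203.0.113.9:80 -> 10.0.0.80:80
10:00:06 ALLOW tcp 10.0.0.6:40002 -> 203.0.113.9:443
this line is not in the expected format
"""


def parse_log(text):
    """Return the parsed records and the count of lines that did not parse;
    an unparsed count that suddenly rises is itself worth noticing."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return records, unparsed


def reduce_log(text, sweep_threshold=3):
    """Collapse a packet-level log into the few numbers an administrator reads."""
    records, unparsed = parse_log(text)
    denied_by_src = Counter()
    ports_by_src = defaultdict(set)
    allowed = 0
    for r in records:
        if r["action"] == "ALLOW":
            allowed += 1
            continue
        denied_by_src[r["src"]] += 1
        ports_by_src[r["src"]].add(int(r["dport"]))
    return {
        "allowed": allowed,
        "denied": sum(denied_by_src.values()),
        "unparsed": unparsed,
        "denied_by_source": dict(denied_by_src.most_common()),
        # A single source refused on many distinct ports is the classic sweep signature.
        "port_sweeps": sorted(s for s, p in ports_by_src.items() if len(p) >= sweep_threshold),
    }


def render(summary):
    """Human-readable report lines."""
    lines = [f"allowed={summary['allowed']} denied={summary['denied']} unparsed={summary['unparsed']}"]
    for src, n in summary["denied_by_source"].items():
        lines.append(f"  denied from {src}: {n}")
    for src in summary["port_sweeps"]:
        lines.append(f"  suspicious: {src} denied on several distinct ports (possible port sweep)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(reduce_log(SAMPLE_LOG)))
```

Nine raw lines become four report lines, and the one thing that deserves attention (a single outside host refused on four different ports) is stated explicitly rather than left for the reader to infer from a scroll of denials.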